Combinatorics of p-ary Bent Functions

Transcription

1 Combinatorics of p-ary Bent Functions MIDN 1/C Steven Walsh United States Naval Academy 25 April 2014

2 Objectives Introduction/Motivation Definitions Important Theorems Main Results: Connecting Bent Functions to Combinatorical Structures Conclusion

3 Introduction/Motivation Linear feedback shift register: a shift register in which inputs are linear functions of their previous states Can be used to generate pseudo-random sequences that can be used as keystreams in a stream cipher system Example: Fibonacci sequence (mod 2), defined by initial state s 0 = 0, s 1 = 1 and recursive function s n = s n 1 + s n 2 (0,1,1,2,3,5,8,13,21...) (0,1,1,0,1,1,0,1,1...) LFSRs can be broken using the Berlekamp-Massey algorithm

4 Berlekamp-Massey algorithm For a binary LFSR with key length n and maximal length period 2 n 1, only 2n consecutive terms of the sequence are required to determine the coefficients of the LFSR Example: Fibonacci sequence mod 2, key length is 2 and period is 3, so 4 digits are required to decode the LFSR Example: choose a 4-bit subsequence (say, (0,1,1,0)) and use the equation s n = c 1 s n 1 + c 2 s n 2 to solve for c 1 and c 2 and thus, determine the key (c 1, c 2 ): 1 = c 1 (1) + c 2 (0) c 1 = 1 0 = c 1 (1) + c 2 (1) = 1(1) + c 2 (1) c 2 = 1

5 Implementing more secure cipher stream systems LFSRs are very susceptible to decryption through various techniques, including Berlekamp-Massey algorithm and brute force attacks To construct more secure keystreams, utilize bent, or perfectly non-linear, functions non-linearity will generate more random sequences resistant to linear cryptanalysis

6 Definitions and Examples

7 Walsh-Hadamard transform For f : GF (p) n GF (p), the Walsh-Hadamard transform of f is a complex-valued function on GF (p) n defined by: W f (u) = x GF (p) n ζ f (x) u,x where ζ = e 2πi/p (the pth root of unity). f : GF (p) n GF (p) is bent if W f (u) = p n/2 for all u GF (p) n.

8 Partial difference sets Let G be a finite abelian group of order v Let D be a subset of G with cardinality k D is a (v, k, λ)-difference set if the multiset {d 1 d 1 2 d 1, d 2 D} contains every non-identity element of G exactly λ times D is a (v, k, λ, µ)-partial difference set (PDS) if the multiset {d 1 d2 1 d 1, d 2 D} contains every non-identity element of D exactly λ times and every non-identity element of G \ D exactly µ times

9 Cayley graphs Constructing a Cayley graph: Let G be a group, let D G such that 1 / D Let the vertices of the graph be elements of G Two vertices g 1 and g 2 are connected by a directed edge from g 1 to g 2 if g 2 = dg 1 for some d D For a (v, k, λ, µ)-pds D, the Cayley graph X (G, D) is a srg-(v, k, λ, µ) if: X (G, D) has v vertices such that each vertex is connected to k other vertices Distinct vertices g 1 and g 2 share edges with either λ or µ common vertices

10 Bent function correspondences Two known ways to determine whether a function is bent (for p = 2) Dillon correspondence: f : GP(2) n GF (2) is bent if and only if the level curve f 1 (1) = {v GF (2) n f (v) = 1} yields a difference set in GF (2) n with parameters (v, k, λ) = (4m 2, 2m 2 ± m, m 2 ± m) for some integer m Bernasconi correspondence: f : GF (2) n GF (2) is bent if and only if the Cayley graph of f is a srg-(2 n, k, λ, µ), where λ = µ and k = {v GF (2) n f (v) 0}

11 Weighted partial difference sets Let G be a finite abelian multiplicative group of order v and let D be a subset of G of cardinality k. Decompose D into a union of disjoint subsets D = D 1 D 2 D d and assume 1 / D. Let D i = k i.

12 Weighted partial difference sets D is a weighted partial difference set (PDS) if the following properties hold: The multiset D i D 1 j = {d 1 d 1 2 d 1 D i, d 2 D j } represents every non-identity element of D l exactly λ i,j,l times and every non-identity element of G \ D exactly µ i,j times (1 i, j, l d) For each i {1, 2,..., d}, j {1, 2,..., d} such that D 1 i = D j (if D 1 i = D i for all i, then the weighted PDS is symmetric)

13 Weighted Cayley Graphs Construction of a weighted Cayley graph X w (G, D) is similar to that of a standard Cayley graph Let G be a group, D a subset of G Decompose D into a union of subsets D 1 D 2 D d The vertices of the graph are the elements of G Two vertices g 1 and g 2 are connected by an edge of weight k if g 1 = dg 2 for some d D k

14 PDS Example G = GF (3)[x]/(x 2 + 1) = {0, 1, 2, x, x + 1, x + 2, 2x, 2x + 1, 2x + 2} (GF (9), +) D = {1, 2, x, 2x} {d 1 d 1 2 d 1, d 2 D} = {0, 2, 1 + 2x, 1 + x, 0, 1, 2x + 2, x + 2, 0, x + 2, x + 1, 2x, 0, 2x + 2, 2x + 1, x} So D is a (9,4,1,2) partial difference set.

15 Weighted PDS Example G = GF (3)[x]/(x 2 + 1) = {0, 1, 2, x, x + 1, x + 2, 2x, 2x + 1, 2x + 2} (additive group) D 1 = {1, 2}, D 2 = {x, 2x} {d 1 d 1 2 d 1, d 2 D 1 } = {0, 2, 0, 1} {d 1 d 1 2 d 1 D 1, d 2 D 2 } = {2x + 1, x + 1, x + 2, 2x + 2} {d 1 d 1 2 d 1, d 2 D 2 } = {0, 2x, 0, x} λ 1,1,1 = 1, λ 1,1,2 = 0, µ 1,1 = 0 λ 1,2,1 = 0, λ 1,2,2 = 0, µ 1,2 = 1 λ 2,2,1 = 0, λ 2,2,2 = 1, µ 2,2 = 0

16 Corresponding Cayley Graph

17 Using Level Curves as Weighted Partial Difference Sets Let f : GF (p) n GF (p) be a function. One possible way to generate a weighted partial difference set is as follows: G = GF (p) n D 0 = {0} D i = f 1 (i) for i = 1, 2,..., p 1 D p = f 1 (0) {0}

18 Association schemes S is a finite set R 0, R 1,..., R d binary relations on S R 0 = {(x, x) S S x S} R i = {(x, y) S S (y, x) R i } Then (S, R 0, R 1,..., R d ) is a d-class association scheme if: S S = R 0 R 1 R d, with R i R j = for all i j. For each i, j such that Ri = R j For all i, j and all (x, y) S S, define p ij (x, y) = {z S (x, z) R i, (z, y) R j }. For all k and for all (x, y) R k, p ij (x, y) is a constant, denoted p k ij.

19 Corresponding Weighted Partial Difference Sets to Association Schemes Let G be a group with a weighted partial difference set D = D 1 D 2 D d Construct an association scheme as follows: S = G R 0 = {(g, g) G G g G} R i = {(g, h) G G gh 1 D i, g h} (for i = 1, 2,..., d) R d+1 = {(g, h) G G gh 1 / D, g h}

20 Schur rings G a finite abelian group C 0, C 1,..., C d finite subsets of G identify each C i as a formal sum of its elements in C[G] The subalgebra of C[G] generated by C 0, C 1,..., C d is a Schur ring if: C 0 = {1}, the singleton containing the identity G = C 0 C 1 C d, with C i C j = for all i j for each i, j such that C 1 i for all i, j, for some integers p k ij C i C j = = C j d pij k C k, k=0

21 Schur ring example Let G = {ζ k k Z, 0 k 5}, where ζ = e 2πi/6 D 0 = {ζ 0 } = {1}, D 1 = {ζ 2, ζ 4 }, D 2 = {ζ, ζ 3, ζ 5 } By this same process, D 1 D 2 = (ζ 2 + ζ 4 ) (ζ + ζ 3 + ζ 5 ) = ζ 3 + ζ 5 + ζ 7 + ζ 5 + ζ 7 + ζ 9 = 2ζ + 2ζ 3 + 2ζ 5 = 2D 2 D 1 D 1 = 2D 0 + D 1 D 2 D 2 = 3D 0 + 3D 1 Therefore, the intersection numbers for this Schur ring are: p 0 11 = 2, p1 11 = 1, p2 11 = 0 p 0 12 = 0, p1 12 = 0, p2 12 = 2 p 0 22 = 3, p1 22 = 3, p2 22 = 0

22 Adjacency matrices S a finite set {s 1, s 2,, s m } R 0, R 1,, R d defined as above The adjacency matrix of R l is the m m matrix A l whose (i, j)th entry is 1 if (s i, s j ) R l or 0 otherwise We say that a subring A 1,..., A d of C[M m m (Z)] is an adjacency ring or Bose-Mesner algebra if: for each i {0,..., d}, A i is a (0, 1)-matrix, d i=0 A i = J (the all 1 s matrix), for each i {0,..., d}, t A i = A j, for some j {0,..., d}, there is a subset J {0,..., d} such that j J A j = I, and there is a set of non-negative integers {p k ij i, j, k {0,..., d}} such that for all such i, j. d A i A j = pij k A k, k=0

23 Constructing Adjacency Matrices Constructing an adjacency matrix A k from a weighted partial difference set Let G be a group of order v, D = D 1 D d a weighted PDS A k is a v v matrix (i, j)th entry = 1 if i j D k, 0 otherwise Constructing an adjacency matrix A k from a weighted Cayley graph X w (G, D): A k is a v v matrix, where v = G (i, j)th entry = 1 if vertices g i and g j are connected by an edge of weight k

24 Adjacency Matrices for GF (9) Example A 1 = A 2 =

25 Important Theorems

26 Intersection number-matrix theorem G a finite abelian group, D 0,, D d G such that D i D j = if i j, and G is the disjoint union of D 0 D d for each i there is a j such that D 1 = D j, and D i D j = l k=0 p k ij D k for some positive integer p k ij. Then the matrices P k = (p k ij ) 0 i,j d satisfy the following properties: P 0 is a diagonal matrix with entries D 0,, D d For each k, the jth column of P k has sum D j (j = 0,, d). Likewise, the ith row of P k has sum D i (i = 0,, d). i

27 Intersection number-trace theorem Let f : GF (p) n GF (p) be a function, Γ be its Cayley graph. Assume Γ is a weighted strongly regular graph. Let A = (a k,l ) be the adjacency matrix of Γ. Let A i = (ak,l i ) be the (0, 1)-matrix where { 1 if a k,l = i a i k,l = 0 otherwise for each i = 1, 2,..., p 1. Let A 0 = I. Let A p be the (0, 1)-matrix such that A 0 + A A p 1 + A p = J. The intersection numbers p k ij defined by satisfy the formula for all i, j, k = 1, 2,..., p. A i A j = p pij ka k k=0 ( ) 1 pij k = p n Tr(A i A j A k ) D k

28 Connections between intersection numbers Let G = GF (p) n. Let D 0,, D d G such that D i D j = if i j, and G is the disjoint union D 0 D d for each i there is a j such that D 1 D i D j = l k=0 i = D j, and p k ij D k for some positive integer p k ij. Then, for all i, j, k, D k p k ij = D i p i kj.

29 Main Results

30 First result: even bent functions f : GF (3) 2 GF (3) If f is an even, bent function such that f (0) = 0 and the level curves f 1 (i) yield a weighted PDS then one of the following occurs: We have D 1 = D 2 = 2, and the intersection numbers p k ij are given as follows: pij pij pij pij

31 We have D 1 = D 2 = 4, D 3 =, and the intersection numbers p k ij are given as follows: pij pij pij no p 3 ij Since D 3 =, there are no i, j such that D i D j will produce elements of D 3.

32 Chart of even bent functions GF (3) 2 (0, 0) (1, 0) (2, 0) (0, 1) (1, 1) (2, 1) (0, 2) (1, 2) (2, 2) b b b b b b b b b b b b b b b b b b

33 Second result: even bent functions f : GF (3) 3 GF (3) If f is an even, bent function such that f (0) = 0 and the level curves f 1 (i) yield a weighted PDS then one of the following occurs: We have D 1 = 6, D 2 = 12, and the intersection numbers p k ij are given as follows: pij pij pij pij

34 We have D 1 = 12, D 2 = 6, and the intersection numbers p k ij are given as follows: pij pij pij pij

35 Preserving structures under function composition Suppose: f : GF (p) n GF (p) is an even function such that f (0) = 0 D i = f 1 (i) for i GF (p) φ : GF (p) n GF (p) n is a linear map that is invertible (i.e., det φ 0 mod p) g = f φ If the collection of sets D 1, D 2,, D p 1 forms a weighted partial difference set for GF (p) n then so does its image under the function φ. Additionally, the Schur ring associated to the weighted partial difference set of f is isomorphic to the Schur ring associated to the weighted partial difference set of g.

36 Group action Let G be a multiplicative group and let X be a set. G acts on X (on the left) if there exists a map ρ : G X X such that: ρ(1 G, x) = x for all x X ρ(g, ρ(h, x)) = ρ(gh, x) for all g, h G, x X An orbit is any set of the form {ρ(g, x) g G}; we call this the orbit of x.

37 Proof of second result Consider the set E of all functions f : GF (3) 3 GF (3) such that f is even f (0) = 0 the degree of the algebraic normal form of f is at most 4 There are 3 12 = 531, 441 such functions Let B E be the subset of bent functions Let G = GL(3, GF (3)) be the set of linear automorphisms φ : GF (3) 3 GF (3) 3. f E is equivalent to g E if and only if f is sent to g under some element of G.

38 Proof (cont.) signature of f : sequence of cardinalities of the level curves f 1 (1) and f 1 (2). All of the functions in each equivalence class have the same signature. 35 unique signatures across all functions on GF (3) 3 Mathematica was used to find all equivalence classes of functions in E; 281 total equivalence classes, but only 4 classes consist of bent functions. Call these classes B 1, B 2, B 3, B 4 ; then B = B 1 B 2 B 3 B 4

39 Two equivalence classes had signature (6,12) and two classes had signature (12,6) x x x 2 3 represents B 1, a class of 234 functions of signature (6,12) x 1 x 3 + 2x x 2 1 x 2 2 represents B 2, a class of 936 functions of signature (6,12) B 3 = B 1, B 4 = B 2 We conclude through calculation that B 1 corresponds with the first condition of the theorem, while B 3 corresponds to the second condition. B 2 and B 4 do not yield weighted partial difference sets.

40 Conclusions/Further Research Main result is only a partial characterization Certain constraints on the functions Reverse claim? Characterization in GF (5) n Developing non-linear cryptanalysis